
Re: (ITS#4756) IPv6 Addresses are not supported in ACL peername



ando@sys-net.it wrote:
> Damon.Groenveld@ca.com wrote:
>> Given that the code (in aclparse.c) calls inet_addr() with the
>> peername.ip parameter, I can't see how it could work with IPv6.
>>
>> The only possible workaround is using a regex instead of ip type which
>> bypasses the inet_addr() call.
>>
>> I raised it as a bug since the latest version (as far as I can tell) is
>> meant to support IPv6 and there is no way that peername.ip does and
>> there isn't an alternative.
>>   
> The peername.ip was designed with IPv4 in mind.  A patch to support IPv6 
> in ACLs would be welcome, though.  In the meanwhile, I believe a regex 
> style would be the solution, but note that I have no idea of how IPv6 
> would be stringified in the peername.  Note that the whole issue is of 
> questionable relevance, since IP-based access checking is not considered 
> trustable.

Yes, peername.regex works fine.

Currently IPv6 peernames are reported as colon-separated hex octets 
followed by a space, then the port number: "xxxx:....:zzzz ppppp". It 
strikes me that we should be using URL format instead, which uses square 
brackets: "[xxxx:....:zzzz]:ppppp".

-- 
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc
   OpenLDAP Core Team            http://www.openldap.org/project/
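
Added example, not part of the original message and not OpenLDAP code: a C sketch of a parser that accepts both IPv6 peername forms described above (space-separated and bracketed) using inet_pton(), next to a check showing that inet_addr() only accepts IPv4 text. The function names `parse_peer` and `inet_addr_accepts` are hypothetical, and the input is assumed to be the bare address string with no prefix.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not OpenLDAP code): split a peername address string
 * into address family, binary address and port. Accepts the two IPv6 forms
 * from the message, "addr port" and "[addr]:port", plus IPv4 "a.b.c.d:port".
 * Returns AF_INET, AF_INET6, or -1 on malformed input. */
int parse_peer(const char *s, unsigned char addr[16], unsigned *port)
{
    char host[INET6_ADDRSTRLEN];
    const char *end, *p;
    char *stop;
    int af;
    size_t n;
    unsigned long v;

    if (s[0] == '[') {                            /* "[xxxx:...:zzzz]:ppppp" */
        end = strchr(++s, ']');
        if (end == NULL || end[1] != ':') return -1;
        p = end + 2;
        af = AF_INET6;
    } else if ((end = strchr(s, ' ')) != NULL) {  /* "xxxx:...:zzzz ppppp" */
        p = end + 1;
        af = AF_INET6;
    } else if ((end = strrchr(s, ':')) != NULL) { /* "a.b.c.d:ppppp" */
        p = end + 1;
        af = AF_INET;
    } else {
        return -1;
    }
    n = (size_t)(end - s);
    if (n == 0 || n >= sizeof(host)) return -1;
    memcpy(host, s, n);
    host[n] = '\0';

    /* inet_pton() validates the text strictly for the chosen family */
    if (inet_pton(af, host, addr) != 1) return -1;

    if (*p < '0' || *p > '9') return -1;  /* strtoul would accept sign/space */
    v = strtoul(p, &stop, 10);
    if (*stop != '\0' || v > 65535) return -1;
    *port = (unsigned)v;
    return af;
}

/* inet_addr(), as called for peername.ip, only understands IPv4 text */
int inet_addr_accepts(const char *text)
{
    return inet_addr(text) != INADDR_NONE;
}
```

Both IPv6 forms yield the same 16-byte address, so a comparison on the parsed value does not depend on how the peername was stringified.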